/{.github,.goreleaser}: enable embedded by default on mac #2971
Pull request overview
This PR updates the release automation to ensure macOS binaries are built with CGO_ENABLED=1 (so embedded Dolt works by default on macOS), by moving darwin builds out of GoReleaser’s Linux job into a dedicated macOS GitHub Actions job and adjusting Homebrew formula publishing accordingly.
Changes:
- Remove darwin build targets from `.goreleaser.yml` and document that macOS builds are produced in CI with CGO enabled.
- Add a `goreleaser-macos` job to build/sign/package/upload darwin arm64+amd64 archives and append their checksums to the release.
- Disable GoReleaser Homebrew upload and add an `update-homebrew-formula` job that generates/pushes a formula after all archives are uploaded.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| `.goreleaser.yml` | Removes darwin build definitions and disables Homebrew upload since macOS archives are now produced outside GoReleaser. |
| `.github/workflows/release.yml` | Adds macOS-native build + embedded-dolt smoke test + release upload, and introduces a post-upload Homebrew formula generation step. |
hilmes left a comment
Review: /{.github,.goreleaser}: enable embedded by default on mac
Verdict: Well-architected CI overhaul. The macOS builds move from CGO_ENABLED=0 (server-only) to CGO_ENABLED=1 (embedded Dolt) with proper verification gates. Two minor fragilities in the Homebrew formula generation, neither blocking.
2 files, +202 −40. 1 commit. Removes darwin builds from goreleaser (ran on Ubuntu with CGO_ENABLED=0), replaces with a dedicated goreleaser-macos job running natively on macOS with CGO_ENABLED=1. Adds a new update-homebrew-formula job that generates the formula after all platform archives exist.
Architecture: Three-job pipeline ✅
```
goreleaser (ubuntu)       → linux, windows, freebsd, android + checksums.txt
goreleaser-macos (macos)  → darwin arm64/amd64 (CGO_ENABLED=1) + append checksums
update-homebrew-formula   → generate + push formula with all platform SHAs
```
The needs: chain is correct: goreleaser-macos waits for goreleaser (release + checksums exist), update-homebrew-formula waits for both (all archives uploaded). No race conditions in the dependency graph.
Why this matters: macOS embedded Dolt requires CGO, and CGO cross-compilation for darwin from Linux (via zig/osxcross) is notoriously fragile. Running natively on macos-latest is the right call.
macOS build steps: Correct and thorough ✅
Build flags match the old goreleaser config: -tags "gms_pure_go netgo" — same as the removed bd-darwin-amd64/bd-darwin-arm64 entries, except now with CGO_ENABLED=1 instead of 0.
amd64 cross-compilation: CC: clang -arch x86_64 is the standard Xcode cross-compile approach on arm64 macOS. Correct.
Three verification gates per binary:
- `verify-cgo.sh` — confirms CGO_ENABLED=1 in the binary metadata (prevents silent fallback to pure Go)
- `otool -L | grep icu` — prevents ICU runtime dependency leakage (the `gms_pure_go` tag should prevent this, but defense in depth)
- `codesign -s - -f` — ad-hoc code signing (required for macOS Gatekeeper on arm64)
Smoke test: Runs bd init → bd create → bd list → verifies no dolt sql-server process. This confirms embedded mode works end-to-end on the actual arm64 binary. Good. Only the arm64 binary is smoke-tested (runs natively on macos-latest); amd64 can't run natively on an arm64 runner — acceptable tradeoff.
ldflags parity: The manual build replicates the goreleaser ldflags exactly: -s -w + Version/Build/Commit/Branch. The Build uses git rev-parse --short HEAD matching goreleaser's {{.ShortCommit}}. ✅
Archive + checksum integration ✅
Archive naming: beads_${version}_darwin_${arch}.tar.gz — matches goreleaser's name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}". Contents (bd, LICENSE, README.md, CHANGELOG.md) match goreleaser's files: config.
Checksum append flow: Downloads goreleaser's checksums.txt, appends darwin entries via shasum -a 256, re-uploads with --clobber. The update-homebrew-formula job then reads the complete file. Sequencing guaranteed by needs:.
Goreleaser changes ✅
Darwin builds removed: The two bd-darwin-amd64 and bd-darwin-arm64 build entries (CGO_ENABLED=0) are replaced with a comment pointing to the new CI job. Clean.
Homebrew skip_upload: true: Since goreleaser no longer produces darwin archives, it can't generate a complete Homebrew formula. Setting skip_upload: true prevents goreleaser from pushing an incomplete formula. The formula is now generated by the dedicated update-homebrew-formula job. Correct approach.
Note: goreleaser will still attempt to generate the formula locally (saved to dist/) even with skip_upload: true. Without darwin archives, the generated formula will be incomplete — but since it's never uploaded, this is harmless.
🟡 Homebrew formula: two fragilities (not blocking)
1. Heredoc indentation stripping
```bash
cat > /tmp/bd.rb <<FORMULA
# typed: false
...
FORMULA
sed -i 's/^          //' /tmp/bd.rb
```
The sed strips exactly 10 leading spaces — matching the YAML run: block indentation. This works but is fragile: reformatting the YAML (e.g., different indentation level) silently breaks the formula. Consider using a heredoc with - (<<-FORMULA with tabs) or generating the formula without leading whitespace (assign to a variable or use printf).
2. Silent failure on checksum download
```bash
gh release download "${tag}" --pattern checksums.txt --dir /tmp || true
```
The || true suppresses download failures. If this fails (unlikely given needs: guarantees, but possible with transient GitHub API errors), get_sha256 returns empty strings, and the formula gets pushed with empty sha256 values. Homebrew would reject installs, but the broken formula would be in the tap. Consider failing the job instead of silencing the error:
```bash
gh release download "${tag}" --pattern checksums.txt --dir /tmp
```
Or at minimum, validate the SHAs before generating the formula:
```bash
if [[ -z "$darwin_arm64_sha" || -z "$darwin_amd64_sha" || -z "$linux_amd64_sha" || -z "$linux_arm64_sha" ]]; then
  echo "ERROR: missing checksums" >&2; exit 1
fi
```
Summary
| Component | Verdict | Notes |
|---|---|---|
| macOS build job | ✅ Excellent | Native CGO, three verification gates, smoke test |
| Archive/checksum integration | ✅ Correct | Naming matches goreleaser, append flow sequenced properly |
| Goreleaser darwin removal | ✅ Clean | skip_upload prevents incomplete formula push |
| Homebrew formula generation | 🟡 Functional | Indentation fragility + silent checksum failure edge case |
| Job dependency chain | ✅ Correct | No race conditions |
Solid infrastructure change. The two Homebrew fragilities are worth addressing in a follow-up but don't block shipping.
Fixes #2970
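
An added example, not part of the PR or of the review above: one way to make the checksum check the review asks for strict, so the formula job stops when checksums.txt is missing, incomplete or inconsistent. The function names are hypothetical, the `<sha256>  <filename>` layout is assumed from the `shasum -a 256` append step, and the archive names follow the `beads_${version}_darwin_${arch}.tar.gz` pattern quoted in the review.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helpers): gate Homebrew formula generation on a
# complete, well-formed checksums.txt instead of tolerating empty sha256 values.
# Assumed file layout: "<sha256>  <filename>" per line, as shasum -a 256 prints.

# Print the SHA-256 recorded for one archive. Fails when the file is unreadable,
# the entry is missing, the digest is not 64 hex characters, or the archive is
# listed with two different digests. Identical duplicate lines (for example
# after a re-run of the append step) collapse to one and are accepted.
get_sha256_strict() {
  checksums_file=$1
  archive=$2
  [ -r "$checksums_file" ] || { echo "ERROR: cannot read $checksums_file" >&2; return 1; }
  # Exact match on the filename field; a leading "*" marks shasum binary mode.
  shas=$(awk -v f="$archive" '{ n = $2; sub(/^\*/, "", n) } n == f { print tolower($1) }' \
    "$checksums_file" | sort -u)
  if [ -z "$shas" ]; then
    echo "ERROR: no checksum entry for $archive" >&2; return 1
  fi
  if [ "$(printf '%s\n' "$shas" | wc -l | tr -d ' ')" -ne 1 ]; then
    echo "ERROR: conflicting checksum entries for $archive" >&2; return 1
  fi
  if ! printf '%s\n' "$shas" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "ERROR: malformed SHA-256 for $archive" >&2; return 1
  fi
  printf '%s\n' "$shas"
}

# Require an entry for every archive the formula references before anything
# is generated or pushed to the tap.
require_formula_checksums() {
  checksums_file=$1
  version=$2
  for target in darwin_arm64 darwin_amd64 linux_amd64 linux_arm64; do
    get_sha256_strict "$checksums_file" "beads_${version}_${target}.tar.gz" >/dev/null || return 1
  done
}
```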